Yahoo, which has since been acquired by Verizon and merged with AOL to form a joint entity called Oath (which is also the parent of TechCrunch), is arguably getting off pretty lightly here for a breach that impacted a whopping ~500M users.

Certainly given how large data protection fines can now scale under the European Union’s new privacy framework, GDPR, which also requires that most breaches be disclosed within 72 hours of discovery (rather than, ooooh, two years or so later in the Yahoo case… ).

The Information Commissioner’s Office (ICO) focused its investigation on the more than 515,000 affected UK accounts which the London-based Yahoo UK Services Ltd had responsibility for as a data controller.

And it found a catalogue of failures — specifically finding that Yahoo UK Services had: Failed to take appropriate technical and organisational measures to protect the data against exfiltration by unauthorised persons; had failed to take appropriate measures to ensure that its data processor — Yahoo! Inc — complied with the appropriate data protection standards; had failed to ensure appropriate monitoring was in place to protect the credentials of Yahoo! employees with access to Yahoo! customer data; and also that the inadequacies found had been in place for “a long period of time without being discovered or addressed”.

Commenting in a statement, the ICO deputy commissioner of operations, James Dipple-Johnstone, said: “People expect that organisations will keep their personal data safe from malicious intruders who seek to exploit it. The failings our investigation identified are not what we expect from a company that had ample opportunity to implement appropriate measures, and potentially stop UK citizens’ data being compromised.”

According to the ICO personal data compromised in the breach included names, email addresses, telephone numbers, dates of birth, hashed passwords, and encrypted or unencrypted security questions and answers.

It considered the breach to be a “serious contravention of Principle 7 of the Data Protection Act 1998” — which states that appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal data.

Happily for Oath, GDPR does not apply historically because the UK’s domestic regime only allows for maximum penalties of £500k.

Reputation wise is perhaps another matter. Though, again, Yahoo had disclosed the breaches before the acquisition closed so any damage had already been publicly attached to Yahoo.

An Oath spokesman told us the company does not comment directly on regulatory actions — but pointed to several developments since Yahoo was acquired, including the doubling in size of the global security organization; the creation in March of a cybersecurity advisory board; and the relaunch in April of an integrated bug bounty program.

Also, as we reported last year, Yahoo’s chief information security officer, Bob Lord — who was in charge at the time the breach was unearthed — lost out to AOL’s Chris Nims in the merger process, with the latter taking up the security chief’s chair of the new umbrella entity, Oath.

Security is certainly now being generally pushed up the C-suite agenda for all organizations handling EU data as a consequence of GDPR concentrating minds on much more sizable legal liabilities.

The regulation’s data protection by design requirements also mean privacy considerations need to be baked into the data processing lifecycle, ergo policies and processes must be in place, alongside strong IT governance and security measures, to ensure compliance with the law — with the idea being to shrink the ability for attackers to intrude as happened so extensively in the Yahoo breaches.

“Under the GDPR and the new Data Protection Act 2018, individuals have stronger rights and more control and choice over their personal data. If organisations, especially well-resourced, experienced ones, do not properly safeguard their customers’ personal data, they may find customers taking their business elsewhere,” added Dipple-Johnstone.

Earlier this year the ICO issued a larger fine for a 2015 hack of Carphone Warehouse which compromised data of more than 3M people, and also included historical payment card details for a subset of the affected users.